D17. How Can I Protect Against Ip Spoofing Attacks - ZyXEL Communications ZyWALL 5 Support Notes

(C) To resolve this conflict, we add an option for users to allow/disallow such Triangle Route topology
in both CI command and Web configurator. You can issue this command, "sys firewall ignore triangle all
on", to allow firewall bypass triangle route checking. In Web GUI, you can find this option in firewall
setup page.
But we would like to notify that if you allow Triangle Route, any traffic will be easily injected into the
protected network through the unprotected gateway. In fact, it's a security hole in your protected network.

D17. How can I protect against IP spoofing attacks?

The ZyWALL's firewall will automatically detect the IP spoofing and drop it if the firewall is turned on.
If the firewall is not turned on we can configure a filter set to block the IP spoofing attacks. The basic
scheme is as follows:
For the input data filter:
•
Deny packets from the outside that claim to be from the inside
•
Allow everything that is not spoofing us
Filter rule setup:
•
Filter type =TCP/IP Filter Rule
•
Active =Yes
•
Source IP Addr =a.b.c.d
•
Source IP Mask =w.x.y.z
•
Action Matched =Drop
•
Action Not Matched =Forward
Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask:
For the output data filters:
•
Deny bounce back packet
•
Allow packets that originate from us
Filter rule setup:
•
Filter Type =TCP/IP Filter Rule
•
Active =Yes
All contents copyright (c) 2006 ZyXEL Communications Corporation.
ZyWALL 5 Support Notes
268